How "LDAP Primary Retry Interval' works on AD/LDAP Authentication Source?
Radius Module Workflow:
- After Primary LDAP/AD source down, ClearPass sends the authentication request to the Backup servers in the Authentication source.
- If the Authentication is successful, ClearPass forwards all the authentication requests to the Backup server.
- Radius module will not fall back to the primary server again as long as the communication to the backup server is good or unless we restart the radius service.
Policy Module Workflow:
- After the Primary LDAP/AD server down, ClearPass sends the authorization request to one of the Backup servers in the Authorization source.
- If the Authorization successful, ClearPass forward all the requests to the Backup server.
- We can specify how long ClearPass can waits before it tries to connect to the Primary server.
- This can be configured under "Administration > Server Manager > Server Configuration > Select the server > Service Parameters > Policy Server: LDAP Primary Retry Interval
- By default it will set to "600 secs", we can modify this value.
- If Primary is down, ClearPass will wait for 600 secs and then check with the Primary server for AD/LDAP Authorization.
Screenshot from Authentication source with Backup Servers: